US-CERT Technical Cyber Security Alert TA04-336A -- Update for Microsoft Internet Explorer HTML Elements Vulnerability


             Technical Cyber Security Alert TA04-336A 

   Update for Microsoft Internet Explorer HTML Elements Vulnerability

  Original release date: December 1, 2004
  Last revised: --
  Source: US-CERT


Systems Affected

   Microsoft Windows systems running

     * Internet Explorer versions 6 and later (see MS04-040 for affected
       software and components)

     * Other programs that host the WebBrowser ActiveX control


Overview

   Microsoft Security Bulletin MS04-040 contains an update to fix a
   buffer overflow vulnerability in Internet Explorer.


I. Description

   TA04-315A describes a buffer overflow vulnerability in Microsoft
   Internet Explorer HTML elements that could allow a remote attacker to
   execute arbitrary code. Note that any program that hosts the
   WebBrowser ActiveX control could be affected. Microsoft Security
   Bulletin MS04-040 contains an update to fix this vulnerability.

   The vulnerability is described in further detail in VU#842160.


II. Impact

   By convincing a user to view a specially crafted HTML document (e.g.,
   a web page or an HTML email message), an attacker could execute
   arbitrary code with the privileges of the user. The attacker could
   also cause IE to crash.

   Reports indicate that this vulnerability is being exploited by
   malicious code referred to as MyDoom.{AG,AH,AI} or Bofra.


III. Solution

Install an update

   Install the appropriate update according to Microsoft Security
   Bulletin MS04-040. For additional information about the update,
   including possible adverse effects, please see Microsoft Knowledge
   Base articles 889293 and 889669.


Appendix A. References

     * Microsoft Security Bulletin MS04-040 -
       <http://www.microsoft.com/technet/security/bulletin/ms04-040.mspx>

     * MS04-040: Cumulative Security Update for Internet Explorer (IE 6.0
       SP1) - <http://support.microsoft.com/kb/889293>

     * An update rollup is available for Internet Explorer 6 SP1 -
       <http://support.microsoft.com/kb/889669>

     * US-CERT Technical Cyber Security Alert TA04-315A -
       <http://www.us-cert.gov/cas/techalerts/TA04-315A.html>

     * Vulnerability Note VU#842160 -
       <http://www.kb.cert.org/vuls/id/842160>

     * About the Browser (Internet Explorer - WebBrowser) -
       <http://msdn.microsoft.com/workshop/browser/overview/Overview.asp>

     _________________________________________________________________

   Feedback can be directed to the authors: Will Dormann and Art Manion.

   Send mail to <cert@xxxxxxxx>.

   Please include the Subject line "TA04-336A Feedback VU#842160".

     _________________________________________________________________

   Copyright 2004 Carnegie Mellon University. 

   Terms of use:  <http://www.us-cert.gov/legal.html>

     _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA04-336A.html>

     _________________________________________________________________
 

   Revision History

   December 1, 2004: Initial release



